We use x509 TLS certificates as part of our authentication to activesync. When the certificate renews, the way this works is the profile is removed from the device and re-added with the new credential.
Unfortunately, this means that the activesync account settings are reset to defaults (folders to sync, days, etc) as well as if the user had set the activesync as default account for mail, calendar, contacts.
Under the principle of least surprise, I'd like to force the activesync accounts to be default when provisioning or renewing. I haven't found any way of doing this with the standard AirWatch profile settings, so I was wondering if there are any MDM features I should be asking AirWatch for, or even if there's any custom XML that I can apply.
(Via travel blog Gadling.com)
We have developed an enterprise app as an add-on to our backend system, which our customers can download from the App Store. The app does not work standalone, but requires the corresponding server. Of course our customers don't want to allow their users to install all app updates we provide (~1 update every 2 months), since every release must go through a comprehensive testing process (with their customized backend system) before internal rollout. They either have an MDM solution in place, or have built up their own company app store. Because we are not developing this app for a single customer, we cannot hand out the ipa file. So my question is: how can our customers organize their deployment process to prevent/control updates via the App Store? I really hope you can help me!! THANKS
Apple has added two-factor authentication to some Apple ID functions.
Two-step verification is an optional security feature for your Apple ID. It requires you to verify your identity using one of your devices before you can:
- Sign in to My Apple ID to manage your account.
- Make an iTunes, App Store, or iBookstore purchase from a new device.
- Get Apple ID-related support from Apple.
Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account.
We've noticed that at least some users (including me) are subject to a three day waiting period before activating 2FA. This may be a smart idea to prevent someone else from locking me out of my account. (Or it is paranoid.)
Apple has more information in an FAQ about the feature.
Does it work for you?
I have been struggling with the VPP store (education), specifically, the purchase history section for a while now. It was always a nightmare when I needed to go back into my purchase history and find a specific App and re-download the CSV for that app.
It can be a huge pain because the site will only show the 20 most recent purchases until you click “show more”. Then you get another 20… and so on… and so on… and you get the pain. It would take me 5 min. just to get all my history to show. Then I would need to use a find command to find all the instances of a particular app's purchase. Again, a pain…
I decided that I MUST find a better way! I went to the Purchase History page, clicked show more until all my history was showing. Selected all the info, copied and pasted it into a Numbers spreadsheet. To my delight all the info copied over perfectly: Order date; Order; Name (with links to app page); Type; Order total; Licenses; Codes (WITH DOWNLOAD LINK).
Now I have a spreadsheet that I can do all the fun things you can with a spreadsheet. Most importantly it has all the live links! As long as I am logged into the correct account on the app store all the App and download links work perfectly.
From here I will simply add to this spreadsheet as I make purchases and never need to use the stupid purchase history on the Apple site again! Not sure why I didn’t think of this sooner!!! Dense I guess!
Loving life a little more now…
We have a field team of reps that visit retail stores. They are issued an iPad Mini to conduct their reports in the field. We would like to give the District Managers the ability to share their screen with their employees (between 30 and 40 people) to conduct trainings. We will at times need to share documents, for which I know there are lots of solutions, i.e. Join.Me Pro, but what we really need is to be able to share the actual screen so we can train them on how to access and fill out the call reports that they will use.
I am having a challenge finding a solution that will allow us to share our iPad screen with 30 to 40 people at once on their PCs or iPads where they can actually watch us using iPad Apps.
It would also be a bonus if this would allow the District Manager to also view an employee's iPad screen to help troubleshoot or answer an individual's question. This only has to share with one or two others at most.
Apple has released iOS 6.1.3, fixing a recent lock screen vulnerability.
The update is available via software update. And as usual, http://ios.e-lite.org/ has compiled links for direct download.
I'm trying to understand how iOS deals with certificates and I'm wondering if anyone can explain a few things to me. I'm working on a system that would provide users with a personal identification certificate for authentication to various services (email, Wi-Fi, websites, etc.) via a configuration profile. Profile creation isn't a problem, but in testing website authentication, it seems that iOS (or Mobile Safari) requires me to provide the CA certificates that should already be on the device.
Here is the certificate chain that my colleague provides me with when I get the user's cert:
AddTrust External CA Root
  ↳ UTN-USERFirst-Client Authentication and Email
    ↳ InCommon Standard Assurance Client CA
      ↳ User's personal certificate
At first, I added the certificate as a single payload of type com.apple.security.pkcs12 with all the CA certificates in the chain included in the p12 data blob. This didn't seem to work since I'd get a warning from MobileSafari in the console log:
no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x1ddccd90>
Along with the following dialog in the browser:
This website requires a certificate
The required certificate is not installed.
Dismiss
The server's ssl_error_log reported:
Re-negotiation handshake failed: Not accepted by client!?
So I tried breaking out the certs into individual payloads. According to this article, iOS 5 and 6 have "AddTrust External CA Root" and "UTN-USERFirst-Client Authentication and Email" preinstalled and I shouldn't have to install them again. So I just included "InCommon Standard Assurance Client CA" and the user's cert as two separate payloads (of types com.apple.security.pkcs1 and com.apple.security.pkcs12 respectively), but that didn't work. I was only able to get it to work if I installed the entire cert chain (using com.apple.security.root as the payload type for the root cert).
Why is that? Shouldn't it already know about the two CAs? I can understand adding the "InCommon" CA since it's not preinstalled, but it seems strange that I have to explicitly provide the other CA certs.
FWIW, I've found out that there are at least three versions of "UTN-USERFirst-Client Authentication and Email":
- Intermediate CA (expires Saturday, May 30, 2020 6:48:38 AM EDT)
- Intermediate CA (expires Sunday, December 31, 2028 6:59:59 PM EDT)
- Root CA (expires Tuesday, July 9, 2019 1:36:58 PM EDT)
The root version is the one preinstalled in iOS. When I evaluate the user's cert with the Certificate Assistant in OS X, the cert status is good no matter what chain it uses, but could this multiple CA certs thing be an/the issue?
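The arrangement the post above reports as working, with every certificate in the chain carried as its own payload, can be generated as follows. This is an added example, not the poster's code; the `com.example.certs` identifier, the function names and the placeholder byte strings are assumptions, and real DER and PKCS#12 data would take their place.

```python
import plistlib
import uuid

# Payload types named in the post above.
ROOT = "com.apple.security.root"
INTERMEDIATE = "com.apple.security.pkcs1"
IDENTITY = "com.apple.security.pkcs12"

def cert_payload(ptype, name, data, org_id, password=None):
    """One certificate payload; data is DER (CA certs) or PKCS#12 bytes."""
    payload = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": data,  # bytes become a base64 <data> element
    }
    if password is not None:
        # Stored in clear text in the profile; leave it out and the
        # device asks for it at install time instead.
        payload["Password"] = password
    return payload

def build_profile(chain, identity, org_id="com.example.certs"):
    """chain: [(name, der_bytes)], root first; identity: (name, p12, password)."""
    payloads = [
        cert_payload(ROOT if i == 0 else INTERMEDIATE, name, der, org_id)
        for i, (name, der) in enumerate(chain)
    ]
    name, p12, password = identity
    payloads.append(cert_payload(IDENTITY, name, p12, org_id, password))
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Client certificate with full chain",
        "PayloadContent": payloads,
    })

def sample_profile():
    # Constructed placeholder bytes stand in for the real DER / PKCS#12 files.
    chain = [
        ("AddTrust External CA Root", b"DER-PLACEHOLDER-ROOT"),
        ("UTN-USERFirst-Client Authentication and Email", b"DER-PLACEHOLDER-UTN"),
        ("InCommon Standard Assurance Client CA", b"DER-PLACEHOLDER-INCOMMON"),
    ]
    return build_profile(chain, ("User's personal certificate", b"P12-PLACEHOLDER", None))
```

The returned bytes are the XML body of a `.mobileconfig` file. Because a `Password` value would travel in clear text inside it, a profile that carries one should be signed or encrypted before delivery.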
My employer and site-sponsor Tekserve is hosting two executive lunches in New York City in March. I hope those of you in NYC can make at least one of them. I'll be there (I'm even speaking at the second one), so make sure you say Hi!
Using Custom Apps in the Enterprise
Wednesday, March 20th • 12:00 – 2:00 p.m.
SD26 Contemporary Italian Cuisine • 19 E 26th St. (at Madison Square Park)
Art Chang and Kevin Kim, founders of enterprise app development studio App Orchard, will discuss how custom-built apps can help your enterprise increase profitability, empower workers with real-time data, and drive efficiency.
Seven iPad Deployment Mistakes You Can Avoid
Wednesday, March 27th • 12:00 – 2:00 p.m.
SD26 Contemporary Italian Cuisine • 19 E 26th St. (at Madison Square Park)
I'll be presenting an updated version of my talk on iPad Deployment Mistakes. Tekserve has helped clients like Showtime, Ann Taylor, Cablevision, and the Institute of Culinary Education successfully manage the iPad for thousands of employees. And along the way we've made lots and lots of mistakes. We've learned from these mistakes and you can too.
I wanted to pass on an experience we recently had in our school that may be helpful to others.
There were many reasons we decided to make the move:
- By using the MDM solution that is from the same company as our filter and LMS we gain loads of integration. The most compelling integration we wanted was the ability for our filter to know the user on each device and store that information so a single sign on was enough. We are now able to filter and monitor each iPad's internet traffic by individual user! Very important at a private Christian school.
- The integration also made the move to global proxy that much easier.
- Additionally, when I go to our MDM management console the users are automatically linked to our LMS where I can go and easily message them.
- In the future I hope to see, and have heard they are working on, the ability for a teacher, through our LMS (my big campus) to lock a class of students into an app for a time. (single app mode) The UI would be in the LMS but the actual implementation of the lock can only happen via a supervised device and some kind of MDM. So in this case the teacher would make the request via the LMS that would then send that to the MDM and the MDM would send the profile locking the device into single app mode. Then reverse the process at the teacher's request. PRETTY COOL STUFF that could only happen with an integrated LMS = MDM.
- I am also very pleased with the ability of the LS MDM to manage our VPP and Free Apps wirelessly removing the need to use Apple Configurator for App management. We use the personal model in grades 5-8 and the institutional model in grades k-4. In both cases I am able to “suggest” an app wirelessly via the MDM and the end users will be prompted to install. Most importantly in the institutional model it is possible to have them never need to enter the institutional password. It just installs and opens without ever asking them to enter a password at all. VERY NICE! (I will post more on how this is working, and details on setup later)
The move has been A LOT of work but I am on the home stretch now with only 1st and 2nd grade left.
It has required myself or the end users interaction with every device! That has been the OUCH!!! but it seems to have been worth it.
The LS MDM is less mature than the Casper MDM but it is making strides in the right direction. We have had a number of issues with the LS MDM but the support has been very good (Thanks Kevin). I still highly recommend Casper and we still use it for our adult users. The reasons listed above, along with a few others, however prompted this huge undertaking. I think it has been worth it!! I will give a more definitive answer once it’s DONE!!! SOON!!
I have a rather large question, and so far nobody has been able to provide me with an answer.
I would like to know how to replicate the experience Apple provide shoppers at their stores, by locking down the devices more than usual and having a 'screensaver' that essentially bypasses the lockscreen when tapped.
Normally I would accept the answer "It can't be done" except it has been done, specifically by a company called OTG Experience, who deploy iPads in airport terminals.
OTG PR Video: https://www.youtube.com/watch?v=Vk9ayjA-5mU
In the video (I have another recorded by a colleague at LaGuardia) you can see a screensaver running, the standard springboard, there are no stock iOS apps, no settings icon etc. From what I have heard, this is all done using Configurator, undocumented features and help from Apple.
It's also clear that Tekserve (whose CTO Aaron Freimark created this site) had a hand in this deployment:
You can listen to Mr. Freimark talking about the deployment here, and he specifically says that these "Are Not Jailbroken":
Thanks in advance...
This seems noteworthy.
VentureBeat: Apple owns enterprise: 5 of the top 5 devices activated last quarter…
Seventy-seven percent of all new smartphones and tablets activated in the enterprise last quarter were Apple devices, according to a new report from Good Technology.
The most popular device was Apple’s new iPhone 5, with 32 percent of all activations. The top five devices activated also included the iPhone 4S, iPhone 4, iPad 3, and iPad2. Out of the top 10, eight were Apple devices, including the iPad 4, the aged iPad 1, and the equally venerable iPhone 3GS.
Essentially, it’s utter enterprise domination by Apple’s iOS.
See the graphs and read the complete article at http://venturebeat.com/2013/02/26/apple-owns-enterprise-5-of-the-top-5-d...